When Moises committed the fixes for WSS (which was a great patch), wdoekes had
a few style nits that were on the review that got missed. This patch resolves
what I *think* were all of the ones that were still on the review.
Thanks to both moy for the patch, and wdoekes for the reviews.
Review: https://reviewboard.asterisk.org/r/3248/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@426209 65c4cc65-6c06-0410-ace0-fbb531ad65f3
In libsrtp 1.5.0, crypto_get_random is no longer resolved simply by including
srtp.h. Now, one must include crypto_kernel.h as well. As it turns out, this
header file has been provided by the library since 2006, so this is a
relatively benign change.
ASTERISK-24436 #close
Reported by: Patrick Laimbock
........
Merged revisions 426140 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@426141 65c4cc65-6c06-0410-ace0-fbb531ad65f3
There are two aspects to the vulnerability:
(1) res_jabber/res_xmpp use SSLv3 only. This patch updates the module to use
TLSv1+. At this time, it does not refactor res_jabber/res_xmpp to use the
TCP/TLS core, which should be done as an improvement at a later date.
(2) The TCP/TLS core, when tlsclientmethod/sslclientmethod is left unspecified,
will default to the OpenSSL SSLv23_method. This method allows for all
encryption methods, including SSLv2/SSLv3. A MITM can exploit this by
forcing a fallback to SSLv3, which leaves the server vulnerable to POODLE.
This patch adds WARNINGS if a user uses SSLv2/SSLv3 in their configuration,
and explicitly disables SSLv2/SSLv3 if using SSLv23_method.
For TLS clients, Asterisk will default to TLSv1+ and WARN if SSLv2 or SSLv3 is
explicitly chosen. For TLS servers, Asterisk will no longer support SSLv2 or
SSLv3.
Much thanks to abelbeck for reporting the vulnerability and providing a patch
for the res_jabber/res_xmpp modules.
Review: https://reviewboard.asterisk.org/r/4096/
ASTERISK-24425 #close
Reported by: abelbeck
Tested by: abelbeck, opsmonitor, gtjoseph
patches:
asterisk-1.8-jabber-tls.patch uploaded by abelbeck (License 5903)
asterisk-11-jabber-xmpp-tls.patch uploaded by abelbeck (License 5903)
AST-2014-011-1.8.diff uploaded by mjordan (License 6283)
AST-2014-011-11.diff uploaded by mjordan (License 6283)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@425986 65c4cc65-6c06-0410-ace0-fbb531ad65f3
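A configuration check in the spirit of the warnings this commit describes, as an added example that is not part of the commit or of Asterisk's code: it scans a config text for `tlsclientmethod`/`sslclientmethod` and reports whether SSLv2/SSLv3 is explicitly selected or the option is left unset. The value spellings `sslv2`, `sslv3` and `tlsv1`, the "last setting wins" rule and the sample configs are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum tls_verdict { TLS_OK, TLS_WEAK, TLS_UNSET };

/* Constructed sample configs (not taken from a real system). */
static const char CONF_WEAK[]  = "[general]\ntlsenable=yes\nTLSClientMethod = sslv3 ; legacy peer\n";
static const char CONF_OK[]    = "[general]\ntlsclientmethod=tlsv1\n";
static const char CONF_UNSET[] = "[general]\ntlsenable=yes\n;tlsclientmethod=sslv3\n";

/* Case-insensitive equality for option names and values. */
static int ieq(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Classify the client method in a config text; the last setting wins
 * (a simplification assumed for this example). */
enum tls_verdict audit_client_method(const char *conf)
{
    enum tls_verdict verdict = TLS_UNSET;
    char line[256], key[64], val[64];

    while (*conf) {
        size_t len = strcspn(conf, "\n");
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        memcpy(line, conf, n);
        line[n] = '\0';
        conf += len + (conf[len] == '\n');
        line[strcspn(line, ";")] = '\0';   /* drop ';' comments */
        if (sscanf(line, " %63[^= \t] = %63s", key, val) != 2)
            continue;                       /* section header or blank line */
        if (!ieq(key, "tlsclientmethod") && !ieq(key, "sslclientmethod"))
            continue;
        verdict = (ieq(val, "sslv2") || ieq(val, "sslv3")) ? TLS_WEAK : TLS_OK;
    }
    return verdict;
}

int main(void)
{
    static const char *names[] = { "ok", "WEAK: SSLv2/SSLv3 selected", "unset: build default applies" };
    printf("%s\n%s\n%s\n", names[audit_client_method(CONF_WEAK)],
           names[audit_client_method(CONF_OK)], names[audit_client_method(CONF_UNSET)]);
    return 0;
}
```

An unset result matters on builds without this change, where the commit says the default method still allows SSLv2/SSLv3.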
The outboundproxy setting is currently ignored when sending OPTIONS requests
as a result of the qualify setting. This means that if an Asterisk server is
unable to send the packet directly to a peer, it is unable to qualify any
non-inbound registered peer (e.g. a peer SIP Trunk).
This patch grabs the outboundproxy information for a peer when a qualify
attempt is being constructed and, if it finds the information, uses it
when sending the OPTIONS request.
Review: https://reviewboard.asterisk.org/r/3948
ASTERISK-24063 #close
Reported by: Damian Ivereigh
patches:
outboundproxy-dai.patch uploaded by Damian Ivereigh (License 6632)
........
Merged revisions 425818 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@425819 65c4cc65-6c06-0410-ace0-fbb531ad65f3
In the case where the ICE negotiation had not yet started current state would
get wiped when it shouldn't.
This also removes channel binding as in practice this does not work well with
other implementations.
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@425644 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Fax gateway session objects can be re-used, causing the
same gateway session to be added to faxregistry.container
more than once. This change causes fax_session_new to
remove the reserved session from the container before
its id is changed, ensuring it's possible for the
session to be freed.
ASTERISK-24392 #close
Reported by: Corey Farrell
Review: https://reviewboard.asterisk.org/r/4049/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@425457 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The main Makefile has a target test called 'badshell' that tests if
DESTDIR does not happen to have an unexpanded tilde (~). This might
be the case if you run: make install DESTDIR=~/somewhere/
That test also disallowed valid tildes in directory names. The test is
now changed to only trigger on a tilde at the start of the path.
ASTERISK-13797 #close
Reported by: Tzafrir Cohen
Review: https://reviewboard.asterisk.org/r/4064/
........
Merged revisions 425291 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@425292 65c4cc65-6c06-0410-ace0-fbb531ad65f3
If a device re-INVITEs at the same time as the dialog is hung up, and
if then the ACK to the re-INVITE never reaches Asterisk, chan_sip would
fail to destroy the dialog after a while. This resulted in (most
prominently) file handle leaks.
(Patch reindented by me.)
ASTERISK-20784 #close
ASTERISK-15879 #close
Reported by: Torrey Searle, Nitesh Bansal
Patches:
reinvite_ack_timeout.patch uploaded by Torrey Searle (License #5334)
patch_asterisk_20784.txt uploaded by Nitesh Bansal (License #6418)
Reviewboard: https://reviewboard.asterisk.org/r/4052/
(testcase can be found at r4051)
........
Merged revisions 425068 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@425069 65c4cc65-6c06-0410-ace0-fbb531ad65f3
When starting ice if there is not at least one remote ice candidate with an RTP
component asterisk will crash. This is due to an assertion in pjnath as it
expects at least one candidate with an RTP component. Added a check to make
sure at least one candidate contains an RTP component and at least one candidate
has an RTCP component.
ASTERISK-24383 #close
Review: https://reviewboard.asterisk.org/r/4039/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@425029 65c4cc65-6c06-0410-ace0-fbb531ad65f3
On systems with lots of RAM (e.g. 24GB) /proc/sys/fs/file-max divided
by two can exceed the per-process file limit of 2^20. This patch
ensures the value is capped.
(Patch cleaned up by me.)
ASTERISK-24011 #close
Reported by: Michael Myles
Patches:
safe_asterisk-ulimit.diff uploaded by Michael Myles (License #6626)
........
Merged revisions 424875 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@424878 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The underlying library, pjnath, that res_rtp_asterisk uses for ICE
support does not have support for ICE-TCP. As candidates are
passed through directly to it this can cause error messages to occur
when it receives something unexpected (such as a TCP candidate).
This change merely ignores all non-UDP candidates so they never
reach pjnath.
ASTERISK-24326 #close
Reported by: Joshua Colp
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@424852 65c4cc65-6c06-0410-ace0-fbb531ad65f3
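The two ICE candidate checks described in the commits above (drop non-UDP candidates before they reach the ICE library, and refuse to start ICE unless both an RTP and an RTCP candidate remain), as an added example that is not Asterisk's code. The function and struct names are hypothetical, the candidate lines are constructed, and the field layout and component ids 1 (RTP) and 2 (RTCP) follow RFC 5245.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* accepted: UDP candidates kept; ignored: non-UDP or unparsable ones dropped. */
struct ice_screen { int accepted, ignored, has_rtp, has_rtcp; };

/* Constructed candidate sets (documentation addresses, not captured traffic). */
static const char *MIXED[] = {
    "a=candidate:1 1 UDP 2130706431 192.0.2.10 5000 typ host",
    "a=candidate:1 2 udp 2130706430 192.0.2.10 5001 typ host",
    "a=candidate:2 1 TCP 1015022079 192.0.2.10 9 typ host tcptype active",
};
static const char *TCP_ONLY[] = {
    "a=candidate:2 1 TCP 1015022079 192.0.2.10 9 typ host tcptype active",
    "a=candidate:2 2 TCP 1015022078 192.0.2.10 9 typ host tcptype active",
};

static int is_udp(const char *t)
{
    return toupper((unsigned char)t[0]) == 'U' && toupper((unsigned char)t[1]) == 'D'
        && toupper((unsigned char)t[2]) == 'P' && t[3] == '\0';
}

/* Parses "a=candidate:<foundation> <component-id> <transport> ..." lines.
 * Returns 1 only when ICE may be started: an RTP and an RTCP candidate remain. */
int screen_candidates(const char *const *lines, size_t n, struct ice_screen *out)
{
    memset(out, 0, sizeof(*out));
    for (size_t i = 0; i < n; i++) {
        char foundation[33], transport[8];
        int component;
        if (sscanf(lines[i], "a=candidate:%32s %d %7s", foundation, &component, transport) != 3
            || !is_udp(transport)) {
            out->ignored++;
            continue;
        }
        out->accepted++;
        if (component == 1) out->has_rtp = 1;
        if (component == 2) out->has_rtcp = 1;
    }
    return out->has_rtp && out->has_rtcp;
}

int main(void)
{
    struct ice_screen s;
    int ok = screen_candidates(MIXED, 3, &s);
    printf("mixed: start=%d accepted=%d ignored=%d\n", ok, s.accepted, s.ignored);
    return 0;
}
```

A TCP-only offer such as `TCP_ONLY` shows how the two changes interact: every candidate is ignored, so the RTP/RTCP check fails and ICE is not started.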
If SendMessage encounters an error (such as incorrect input provided to the
action), it will currently return -1. Actions should only return -1 if the
connection to the AMI client should be closed. In this case, SendMessage
causing the client to disconnect is inappropriate.
This patch causes the action to return 0, which simply causes the action to
fail.
Review: https://reviewboard.asterisk.org/r/4024
ASTERISK-24354 #close
Reported by: Peter Katzmann
patches:
sendMessage.patch uploaded by Peter Katzmann (License 5968)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@424690 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This change fixes an issue where ICE candidates put into the SDP did not contain
the 'raddr' and 'rport' information for server reflexive and relay candidates.
#SIPit31
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@424151 65c4cc65-6c06-0410-ace0-fbb531ad65f3
'==' is a bashism (bash-specific, fails when dash is /bin/sh). Anyway, a
'case' works better there.
Originally committed in r375059 and r375060 on 2012-10-16 21:13:08.
ASTERISK-20567 #close
Reported by: Tzafrir Cohen
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@424117 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Make astobj2 REF_DEBUG output an invalid object line when an invalid ao2
object ref/unref is attempted. This is similar to the
constructor/destructor lines.
* Fixed refcounter.py to handle skewed objects that have
constructor/destructor states.
* Made refcounter.py highlight the invalid ao2 object refs by putting them
in their own section of the processed output file.
* Made refcounter.py highlight unreffing an object by more than one that
results in a negative ref count and the object being destroyed. The
abnormally destroyed object is reported in the invalid and finalized
object sections of the output.
Review: https://reviewboard.asterisk.org/r/3971/
........
Merged revisions 423349 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@423400 65c4cc65-6c06-0410-ace0-fbb531ad65f3
If faxing fails at a very early stage, then it is possible for
us to pass a NULL t30 state pointer to spandsp, which spandsp
is none too pleased with.
This patch ensures that we pass the correct pointer to spandsp
in the situation where we have not yet set our local t30 state
pointer.
ASTERISK-24301 #close
Reported by Matt Jordan
Patches:
ASTERISK-24301-fax.diff Uploaded by Mark Michelson (License #5049)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@423360 65c4cc65-6c06-0410-ace0-fbb531ad65f3
If you call ast_category_insert with a match category that doesn't exist, the
list traverse runs out of 'next' categories and you get a SEGV. This patch
adds a check for the end-of-list condition and changes the signature to return
an int for success/failure indication instead of a void.
The only consumer of this function is manager and it was also changed to use
the return value.
Tested by: George Joseph
Review: https://reviewboard.asterisk.org/r/3993/
........
Merged revisions 423276 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@423277 65c4cc65-6c06-0410-ace0-fbb531ad65f3
1. The number of file descriptors an ioqueue instance can handle is fixed, so we
now spawn the required number to handle the load.
2. Our transport identifiers were exceeding the range supported by pjnath.
3. The TURN client did not set up client binding causing needless bandwidth usage.
4. The code no longer updates address information on each packet.
5. STUN traffic was getting looped back to Asterisk instead of going through the
TURN server.
6. Synchronization now ensures things are completely set up or destroyed.
7. Logging now reflects the target the TURN server is sending to/receiving from
on our behalf.
ASTERISK-23577 #close
Reported by: Jay Jideliov
ASTERISK-23634 #close
Reported by: Roman Skvirsky
Review: https://reviewboard.asterisk.org/r/3982/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@423150 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This fixes a situation in Asterisk 1.8 and 11 where ast_channel_bridge
could cause a bouncing native bridge. In the case of the
dial_LS_options test, this was a remote RTP bridge which caused the
audio path to continually cycle between Asterisk and the remote
endpoints generating a large number of SIP messages and delaying the
test long enough to cause it to fail (checking timing was part of the
test). The root cause was that the code to decide whether to use native
bridging was expecting a time-remaining value of 0 to be the default
instead of the actual default value of -1. A value of 0 or negative
numbers could also be generated by preceding code in some
circumstances. Both issues are addressed in this patch.
ASTERISK-24211 #close
Reported by: Matt Jordan
Review: https://reviewboard.asterisk.org/r/3987/
........
Merged revisions 423006 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@423010 65c4cc65-6c06-0410-ace0-fbb531ad65f3
ast_config_text_file_save() currently truncates include files as they
are processed. If a subsequent include file or the main config file has
a permissions error that prevents writing, earlier include files are left
truncated resulting in a frantic search for backups.
This patch causes ast_config_text_file_save to check for write access
on all files before it truncates any of them.
Will be applied 1.8 > trunk.
Tested by: George Joseph
Review: https://reviewboard.asterisk.org/r/3986/
........
Merged revisions 422900 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@422903 65c4cc65-6c06-0410-ace0-fbb531ad65f3